Harvest Now, Decrypt Later: The Invisible Threat

An Attack Strategy Already Underway

The Harvest Now, Decrypt Later (HNDL) strategy, sometimes called Store Now, Decrypt Later (SNDL), refers to an attack method in which an adversary intercepts and mass-stores encrypted communications today, with the intention of decrypting them later using a quantum computer. The principle is straightforward: data protected by classical algorithms such as RSA, ECDH, or ECDSA will become vulnerable as soon as a sufficiently powerful quantum computer becomes operational. State actors and groups with considerable resources have no reason to wait before beginning collection. The cost of data storage is negligible compared to the potential value of the secrets it contains. Every encrypted stream intercepted today represents a vault whose lock will one day be broken.

Why the Threat Is Present, Not Future

The most widespread misconception is to regard HNDL as a hypothetical problem, tied to the still-uncertain arrival of a cryptographically relevant quantum computer (CRQC). This analysis is fundamentally flawed. The collection is happening now. Intelligence agencies from several countries have publicly acknowledged the existence of programs for mass capture of encrypted traffic. The US National Security Agency issued a warning as early as 2015 about the need to migrate to quantum-resistant algorithms. In 2022, Presidential Memorandum NSM-10 formalized the urgency of the post-quantum transition for all federal agencies. In Europe, France's ANSSI and Germany's BSI have issued similar recommendations. The vulnerability window is not opening tomorrow — it has been open for years for any data whose confidentiality lifespan exceeds ten years.

The Most Exposed Sectors

Certain sectors are particularly vulnerable to the HNDL strategy due to the confidentiality lifespan of their data. The defense and intelligence sector handles classified information whose sensitivity can extend over several decades: strategic plans, diplomatic communications, agent identities. The healthcare sector manages medical records protected for life by medical confidentiality. The financial sector processes transaction data, investment strategies, and intellectual property whose exposure could cause systemic damage. Critical infrastructure — energy, telecommunications, transport — relies on command-and-control protocols whose compromise could have physical consequences. Finally, law firms and research institutions hold trade secrets and patents whose premature disclosure would represent a decisive competitive advantage for an adversary.

Documented Precedents

Declassified intelligence reports leave no doubt about the reality of HNDL collection. Edward Snowden's revelations in 2013 showed that the NSA was systematically intercepting and storing encrypted data streams as part of the UPSTREAM program. In 2024, France's National Information Systems Security Council (CNSSI) published a technical note confirming that "the harvest threat is now considered proven for classified data." The 2023 European Parliament report on the quantum threat highlighted that China is investing more than $15 billion in quantum technologies and is already deploying a quantum communication network spanning over 4,600 kilometers. ENISA's 2025 annual report now classifies the HNDL threat in the "high probability, critical impact" category. These elements converge toward an unequivocal finding: HNDL collection is an operational reality, not a forward-looking scenario.

How Post-Quantum Cryptography Protects Against HNDL

The only effective countermeasure against HNDL is to encrypt data with algorithms that even a quantum computer will not be able to break. This is precisely the goal of post-quantum cryptography (PQC). The standards published by NIST in August 2024 — ML-KEM (FIPS 203) for key encapsulation and ML-DSA (FIPS 204) for digital signatures — are based on mathematical problems different from those exploited by Shor's algorithm. The structured lattices on which ML-KEM relies resist both classical and quantum computers. By deploying PQC algorithms now, organizations ensure that data intercepted today will remain unreadable even when CRQCs become operational. The hybrid approach, combining a classical algorithm (for example ECDH) with a post-quantum algorithm (ML-KEM), enables a progressive transition while guaranteeing security against both types of threats.

Act Now: Concrete Steps

The migration to post-quantum cryptography cannot be improvised. Organizations must first conduct a comprehensive cryptographic inventory: identify all algorithms, protocols, and certificates used in their infrastructure. This mapping allows for an assessment of the actual exposure to the HNDL threat. Next, it is essential to prioritize by sensitivity: data whose confidentiality lifespan exceeds ten years must be migrated first. The third step involves deploying hybrid solutions on the most critical channels, starting with VPNs, site-to-site links, and sensitive data tunnels. It is also necessary to integrate PQC into procurement criteria and security solution purchasing requirements. Finally, technical teams must be trained on the new FIPS 203 and 204 standards to ensure correct integration. ANSSI recommends that all organizations subject to NIS2 and DORA should have initiated their migration plan by the end of 2026. The time for deliberation is over — the time for action has begun.